pcmacdon / jsish

Jsi is a small, C-embeddable javascript interpreter with tightly woven Web and DB support.
https://jsish.org/
MIT License

Heap-use-after-free src/jsiValue.c:899 in Jsi_ValueCmp #77

Closed hope-fly closed 2 years ago

hope-fly commented 2 years ago
Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
export CFLAGS='-fsanitize=address'
make
Test case
var JSEtest = [
  'aa',
  'cc',
  'gg',
  'hhh',
  'ee'
];
'sort:' + JSEtest.sort(function (str, position) {  // comparator mutates the array while qsort_r() is iterating it
  return JSEtest.unshift('pop:' + JSEtest.pop());  // pop() releases an element the sort still holds a pointer to
});
!'concat:' + JSEtest.concat().every(function (E) {
  return console.log('sort:' + JSEtest.sort());
});
console.log('list : ' + JSEtest);
console.log('sort:' + JSEtest.sort());

Execution steps & Output
$ ./jsish/jsish poc.js
/home/f1yh0p/poc.js:9: error: call with undefined var for argument arg 2 'position', in call to function declared at poc.js:8.45 <undefined>.
poc.js:12:  "sort:[object Object]",
poc.js:14:  "list : [object Object]",
=================================================================
==90285==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007128 at pc 0x55757f8ffb23 bp 0x7ffe79b1cbb0 sp 0x7ffe79b1cba0
READ of size 1 at 0x603000007128 thread T0
    #0 0x55757f8ffb22 in Jsi_ValueCmp src/jsiValue.c:899
    #1 0x55757f99e12e in SortSubCmd src/jsiArray.c:964
    #2 0x7f2099f04311  (/lib/x86_64-linux-gnu/libc.so.6+0x42311)
    #3 0x7f2099f0428f  (/lib/x86_64-linux-gnu/libc.so.6+0x4228f)
    #4 0x7f2099f046b5 in qsort_r (/lib/x86_64-linux-gnu/libc.so.6+0x426b5)
    #5 0x55757f9a1611 in jsi_ArraySortCmd src/jsiArray.c:1065
    #6 0x55757f96e818 in jsi_FuncCallSub src/jsiProto.c:244
    #7 0x55757fc3871a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x55757fc3871a in jsiEvalFunction src/jsiEval.c:837
    #9 0x55757fc3871a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x55757fc4c15e in jsi_evalcode src/jsiEval.c:2204
    #11 0x55757fc50274 in jsi_evalStrFile src/jsiEval.c:2665
    #12 0x55757f93f66a in Jsi_Main src/jsiInterp.c:936
    #13 0x55758014403a in jsi_main src/main.c:47
    #14 0x7f2099ee3bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #15 0x55757f8d3969 in _start (/usr/local/bin/jsish+0xe8969)

0x603000007128 is located 8 bytes inside of 32-byte region [0x603000007120,0x603000007140)
freed by thread T0 here:
    #0 0x7f209ab527a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55757f8f46cf in Jsi_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f209ab52d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55757f944aa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:899 in Jsi_ValueCmp
Shadow bytes around the buggy address:
  0x0c067fff8dd0: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8de0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8df0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e00: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8e10: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
=>0x0c067fff8e20: fd fd fa fa fd[fd]fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8e50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==90285==ABORTING

Credits: Found by OWL337 team.
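The trace above shows the shape of the bug: jsi_ArraySortCmd hands the array's backing store to qsort_r(), the user comparator calls pop(), Jsi_DecrRefCount frees the popped value, and a later comparison in Jsi_ValueCmp reads it. The C model below is an added illustration, not jsish code and not a description of the #85 fix; it reproduces that failure mode in a small refcounted array and shows one common mitigation: retain every element for the duration of the sort and sort a private copy of the pointers. All names here (Value, Array, sort_unsafe, sort_pinned, cmp_values) and the input words are constructed for the example, and the `dead` flag stands in for free() so the demo stays deterministic instead of invoking undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Refcounted value. Assumption for a deterministic demo: value_release()
 * flags the value dead instead of calling free(); in a real interpreter the
 * memory goes back to the heap here and the later read is the UAF ASan reports. */
typedef struct { int refcount; int dead; const char *str; } Value;
typedef struct { Value **items; size_t len; } Array;

static Value *value_new(const char *s) {
    Value *v = calloc(1, sizeof *v);
    v->refcount = 1; v->str = s;
    return v;
}
static void value_retain(Value *v) { v->refcount++; }
static void value_release(Value *v) { if (--v->refcount == 0) v->dead = 1; }

static Array *make_array(const char **strs, size_t n) {
    Array *a = calloc(1, sizeof *a);
    a->items = calloc(n, sizeof *a->items);
    for (size_t i = 0; i < n; i++) a->items[i] = value_new(strs[i]);
    a->len = n;
    return a;
}

static Array *sorting;    /* array the user comparator may mutate */
static int hostile;       /* 1: comparator pops from the array, as in the PoC */
static int dead_reads;    /* comparisons that touched a released value */

static int cmp_values(const void *a, const void *b) {
    Value *va = *(Value *const *)a, *vb = *(Value *const *)b;
    /* The user comparator runs first: in the PoC it calls pop(), which drops
     * the last reference to the element at the tail of the array. */
    if (hostile && sorting->len > 0)
        value_release(sorting->items[--sorting->len]);
    if (va->dead || vb->dead) dead_reads++;   /* real code: heap-use-after-free */
    return strcmp(va->str, vb->str);
}

/* Unsafe: sorts the live backing store in place; the length and element
 * pointers qsort() captured go stale as soon as the callback mutates. */
static int sort_unsafe(Array *arr, int hostile_cmp) {
    hostile = hostile_cmp; sorting = arr; dead_reads = 0;
    qsort(arr->items, arr->len, sizeof *arr->items, cmp_values);
    return dead_reads;
}

/* Hardened: pin every element with an extra reference and sort a private
 * copy of the pointers, so nothing the callback does can free them mid-sort.
 * The result is published only if the array is still the one we started on. */
static int sort_pinned(Array *arr, int hostile_cmp) {
    size_t n = arr->len;
    Value **copy = malloc(n * sizeof *copy);
    for (size_t i = 0; i < n; i++) { copy[i] = arr->items[i]; value_retain(copy[i]); }
    hostile = hostile_cmp; sorting = arr; dead_reads = 0;
    qsort(copy, n, sizeof *copy, cmp_values);
    if (arr->len == n) memcpy(arr->items, copy, n * sizeof *copy);
    for (size_t i = 0; i < n; i++) value_release(copy[i]);   /* drop the pins */
    free(copy);
    return dead_reads;
}

int main(void) {
    const char *w[] = { "gg", "aa", "hhh", "cc", "ee" };   /* constructed input */
    Array *a = make_array(w, 5), *b = make_array(w, 5);
    printf("unsafe sort, hostile comparator: %d dead reads\n", sort_unsafe(a, 1));
    printf("pinned sort, hostile comparator: %d dead reads, %zu items left\n",
           sort_pinned(b, 1), b->len);
    return 0;
}
```

With the hostile comparator, sort_unsafe always reports at least one dead read: the element at the tail is released during the very first comparison, and every comparison sort must still compare it at least once. sort_pinned never does, because each element's refcount stays above zero until the pins are dropped after qsort() returns; the elements the callback popped are released only then, which is the lifetime the interpreter wanted in the first place.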

pcmacdon commented 2 years ago

Duplicate bug

hope-fly commented 2 years ago

Is this issue a duplicate of #85 or some others? I'm not sure; please give some info to prevent me from reporting duplicate bugs.

pcmacdon commented 2 years ago

Yes, this bug was fixed by the #85 fix. I am trying to keep track, but there was an onslaught of 40 issues in 1 day.

On Sun, 26 Dec 2021 at 19:41, HopeF1y @.***> wrote:

Is this issue a duplicate of #85 https://github.com/pcmacdon/jsish/issues/85 or some others? I'm not sure; please give some info to prevent me from reporting duplicate bugs.


pcmacdon commented 2 years ago

Were these issues detected via automation?

hope-fly commented 2 years ago

Yes, these issues were detected by a JS fuzzer designed by us.

---Original--- From: @.> Date: Mon, Dec 27, 2021 23:16 PM To: @.>; Cc: @.**@.>; Subject: Re: [pcmacdon/jsish] Heap-use-after-free src/jsiValue.c:899 in Jsi_ValueCmp (Issue #77)

Were these issues detected via automation?
